
With Red Hat Advanced Cluster Security for Kubernetes (RHACS), you can configure your existing email provider to send notifications about policy violations. If you are using Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), you can use your existing email provider or the built-in email notifier to send email notifications.

You can use the Default recipient field to forward alerts from RHACS and the RHACS Cloud Service to an email address. Otherwise, you can use annotations to define an audience and notify them about policy violations associated with a specific deployment or namespace.

Integrating with email on RHACS

You can use email as a notification method by forwarding alerts from RHACS.

Configuring the email plugin

The RHACS notifier can send email to a recipient specified in the integration, or it can use annotations to determine the recipient.

If you are using RHACS Cloud Service, it blocks port 25 by default. Configure your mail server to use port 587 or 465 to send email notifications.

Procedure
  1. Go to Platform Configuration → Integrations.

  2. Under the Notifier Integrations section, select Email.

  3. Select New Integration.

  4. In the Integration name field, enter a name for your email integration.

  5. In the Email server field, enter the address of your email server. The email server address includes the fully qualified domain name (FQDN) and the port number; for example, smtp.example.com:465.

  6. Optional: If you are using unauthenticated SMTP, select Enable unauthenticated SMTP. This is insecure and not recommended, but might be required for some integrations. For example, you might need to enable this option if you use an internal server for notifications that does not require authentication.

    You cannot change an existing email integration that uses authentication to enable unauthenticated SMTP. You must delete the existing integration and create a new one with Enable unauthenticated SMTP selected.

  7. Enter the user name and password of a service account that is used for authentication.

  8. Optional: Enter the name that you want to appear in the FROM header of email notifications in the From field; for example, Security Alerts.

  9. Specify the email address that you want to appear in the SENDER header of email notifications in the Sender field.

  10. Specify the email address that will receive the notifications in the Default recipient field.

  11. Optional: Enter an annotation key in Annotation key for recipient. You can use annotations to dynamically determine an email recipient. To do this:

    1. Add an annotation similar to the following example in your namespace or deployment YAML file, where email is the Annotation key that you specify in your email integration. You can create an annotation for the deployment or the namespace.

      annotations:
        email: <email_address>

    2. Use the annotation key email in the Annotation key for recipient field.

      If you configured the deployment or namespace with an annotation, RHACS sends the alert to the email address specified in the annotation. Otherwise, it sends the alert to the default recipient.

      The following rules govern how RHACS determines the recipient of an email notification:

      • If the deployment has an annotation key, the annotation’s value overrides the default value.

      • If the namespace has an annotation key, the namespace’s value overrides the default value.

      • If a deployment has an annotation key and a defined audience, RHACS sends an email to the audience specified in the key.

      • If a deployment does not have an annotation key, RHACS checks the namespace for an annotation key and sends an email to the specified audience.

      • If no annotation keys exist, RHACS sends an email to the default recipient.

  12. Optional: Select Disable TLS certificate validation (insecure) to send email without TLS. You should not disable TLS unless you are using StartTLS.

    Use TLS for email notifications. Without TLS, all email is sent unencrypted.

  13. Optional: To use StartTLS, select either Login or Plain from the Use STARTTLS (requires TLS to be disabled) drop-down menu.

    With StartTLS, credentials are passed in plain text to the email server before the session encryption is established.

    • StartTLS with the Login parameter sends authentication credentials in a base64 encoded string.

    • StartTLS with the Plain parameter sends authentication credentials to your mail relay in plain text.

Configuring policy notifications

Enable alert notifications for system policies.

Procedure
  1. In the RHACS portal, go to Platform Configuration → Policy Management.

  2. Select one or more policies for which you want to send alerts.

  3. Under Bulk actions, select Enable notification.

  4. In the Enable notification window, select the Email notifier.

    If you have not configured any other integrations, the system displays a message that no notifiers are configured.

  5. Click Enable.

  • Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.

  • Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.

  • Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:

    • A policy violation occurs for the first time in a deployment.

    • A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.

Integrating with email on RHACS Cloud Service

You can use your existing email provider or the built-in email notifier in RHACS Cloud Service to send email alerts about policy violations.

  • To use your own email provider, you must configure the email provider as described in the section Configuring the email plugin.

  • To use the built-in email notifier, you must configure the RHACS Cloud Service email plugin.

Configuring the RHACS Cloud Service email plugin

The RHACS Cloud Service notifier sends an email to a recipient. You can specify the recipient in the integration, or RHACS Cloud Service can use annotation keys to find the recipient.

  • You can only send 250 emails per 24-hour rolling period. If you exceed this limit, RHACS Cloud Service sends emails only after the 24-hour period ends.

  • Because of rate limits, Red Hat recommends using email notifications only for critical alerts or vulnerability reports.

Procedure
  1. Go to Platform Configuration → Integrations.

  2. Under the Notifier Integrations section, select RHACS Cloud Service Email.

  3. Select New Integration.

  4. In the Integration name field, enter a name for your email integration.

  5. Specify the email address to which you want to send the email notifications in the Default recipient field.

  6. Optional: Enter an annotation key in Annotation key for recipient. You can use annotations to dynamically determine an email recipient. To do this:

    1. Add an annotation similar to the following example in your namespace or deployment YAML file, where email is the Annotation key that you specify in your email integration. You can create an annotation for the deployment or the namespace.

      annotations:
        email: <email_address>

    2. Use the annotation key email in the Annotation key for recipient field.

If you configured the deployment or namespace with an annotation, RHACS Cloud Service sends the alert to the email address specified in the annotation. Otherwise, it sends the alert to the default recipient.

The following rules govern how RHACS Cloud Service determines the recipient of an email notification:

  • If the deployment has an annotation key, the annotation’s value overrides the default value.

  • If the namespace has an annotation key, the namespace’s value overrides the default value.

  • If a deployment has an annotation key and a defined audience, RHACS Cloud Service sends an email to the audience specified in the key.

  • If a deployment does not have an annotation key, RHACS Cloud Service checks the namespace for an annotation key and sends an email to the specified audience.

  • If no annotation keys exist, RHACS Cloud Service sends an email to the default recipient.
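The recipient precedence described in both annotation procedures on this page (Configuring the email plugin and Configuring the RHACS Cloud Service email plugin) is shown here as an added example; it is not RHACS code. It resolves the effective recipient for each workload and flags addresses that are malformed or outside the expected mail domains, because the annotation value decides where violation alerts are delivered. The function names, the dictionary layout, the allowed-domain check, and the fall-through for an empty annotation value are assumptions.

```python
import re

# Loose syntactic check only; it does not prove the mailbox exists.
_EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def resolve_recipient(key, default, deployment=None, namespace=None):
    """Deployment annotation wins, then namespace annotation, then the default."""
    if key:  # no annotation key configured: always the default recipient
        for source, annotations in (("deployment", deployment), ("namespace", namespace)):
            value = str((annotations or {}).get(key) or "").strip()
            if value:  # assumption: an empty value falls through to the next level
                return value, source
    return default, "default"


def audit_routing(workloads, key, default, allowed_domains):
    """List (workload, recipient, source, status) so that recipients that are
    malformed or outside the expected mail domains stand out."""
    rows = []
    for w in workloads:
        recipient, source = resolve_recipient(
            key, default, w.get("deployment"), w.get("namespace"))
        match = _EMAIL_RE.match(recipient)
        if not match:
            status = "malformed"
        elif match.group(1).lower() not in allowed_domains:
            status = "unexpected-domain"  # exact domain match; subdomains are flagged
        else:
            status = "ok"
        rows.append((w["name"], recipient, source, status))
    return rows


# Constructed sample annotations; not taken from any real cluster.
WORKLOADS = [
    {"name": "payments/api", "deployment": {"email": "payments-oncall@example.com"},
     "namespace": {"email": "payments-team@example.com"}},
    {"name": "payments/worker", "deployment": {"owner": "payments"},
     "namespace": {"email": "payments-team@example.com"}},
    {"name": "legacy/batch", "deployment": {}, "namespace": {}},
    {"name": "sandbox/demo", "deployment": {"email": "demo-owner@mail.example.net"}},
    {"name": "sandbox/typo", "namespace": {"email": "team-at-example.com"}},
]

if __name__ == "__main__":
    for row in audit_routing(WORKLOADS, "email", "secops@example.com", {"example.com"}):
        print(row)
```
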

Configuring policy notifications

Enable alert notifications for system policies.

Procedure
  1. In the RHACS portal, go to Platform Configuration → Policy Management.

  2. Select one or more policies for which you want to send alerts.

  3. Under Bulk actions, select Enable notification.

  4. In the Enable notification window, select the RHACS Cloud Service Email notifier.

    If you have not configured any other integrations, the system displays a message that no notifiers are configured.

  5. Click Enable.

  • Red Hat Advanced Cluster Security for Kubernetes sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.

  • Notifications are only sent once for a given alert. If you have assigned a notifier to a policy, you will not receive a notification unless a violation generates a new alert.

  • Red Hat Advanced Cluster Security for Kubernetes creates a new alert for the following scenarios:

    • A policy violation occurs for the first time in a deployment.

    • A runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for a policy in that deployment.